Sergey Khlopov, 2020-11-05 11:53:52
ubuntu

How to properly organize the server so that each site has its own user?

Hello, please advise: there is a server (VDS) running nginx with one site on it, and several more sites are planned on this server in the future. I would like each site to have its own user, and to use that user to perform the various actions on the site, for example git pull over ssh, and so on. Also for security, so that, for example, the user of one site cannot access another site.

I'm currently trying to do something like this:

  1. I create a new user for the site: useradd user1. Accordingly, I set a password for this user, and a home directory was created in /home/user1.
  2. I create a new home folder for the user and a folder for the site, /var/www/user1/data/www/example.ru; starting from the user1 folder, the owner and group user1 are set on the folders and files.
  3. In /etc/passwd I overwrite the home directory for the user user1 and get the following entry:
    user1:x:1000:1001:Sergey,,,:/var/www/user1/data:/bin/bash
  4. Further, my logic is this: user1 is the user used to connect via ssh, but I still need ftp, so I create a new user ftpuser1 whose home folder is /var/www/user1/data, and I set the primary group of this user to user1. And I disable ssh access for ftpuser1; it is quite possible that someone else will need to be given ftp access, and this ftp user should not be able to connect via ssh.
  5. ssh works, ftp works; now I upload the site files for example.ru to the laravel project folder, and I made all the settings for the site.

As a result, I have two problems, and they are both related to permissions, roughly like this:
  1. If I upload files to the server as ftpuser1, then user1 can no longer delete them, but I would like user1 and ftpuser1 to have the same rights and to be able to delete and change each other's files. For example, I uploaded the img folder to the server as ftpuser1 and it has 755 [drwxr-xr-x] permissions; I can't delete it as user1 now. If I change the permissions to 775 [drwxrwxr-x], then I can delete it, but if I upload this folder again via ftpuser1 the permissions will be 755 [drwxr-xr-x] again. Probably it is possible to do something so that the permissions don't have to be changed before each operation?

  2. Problem with the storage folder.
The first error I get when I open the site:
The stream or file "/var/www/user1/data/www/example.ru/storage/logs/laravel.log" could not be opened in append mode: failed to open stream: Permission denied

Permissions on laravel.log: 664 [-rw-rw-r--]
Permissions on the logs folder: 775 [drwxrwxr-x]
If I change the permissions on the laravel.log file to 666 [-rw-rw-rw-], then the error goes away.

Then another error:
file_put_contents(/var/www/user1/data/www/example.ru/storage/framework/sessions/ckX60GiELzZh2hvPSOviGoPhHV7eu2w6jxTGL5Sa): failed to open stream: Permission denied

Permissions on the sessions folder: 775 [drwxrwxr-x]
If I change the permissions on sessions to 777 [drwxrwxrwx], the error goes away.

And the last error: there is a folder /storage/framework/views, and when I cache the view files using the command php artisan view:cache, files with permissions 664 [-rw-rw-r--] are created in this folder. Sometimes laravel writes changes to these files, and accordingly with such permissions it cannot add anything, and an error occurs:
file_put_contents(/var/www/user1/data/www/example.ru/storage/framework/views/3a754a39b6fbbfc12ae706bdbb58d5d83ed2c712.php): failed to open stream: Permission denied

If I change the permissions of 3a754a39b6fbbfc12ae706bdbb58d5d83ed2c712.php to 666 [-rw-rw-rw-], then the error goes away.
But then anyway, if I run the command php artisan view:cache, new files with permissions 664 [-rw-rw-r--] will appear and the error will repeat.

Please tell me, maybe I'm doing something wrong, or I'm missing something. I found an article like this yesterday; I think I can make the scripts on the site run as user1, for example, maybe this will solve the problem? But what if I didn't have Nginx on the server, but Apache?

Now I understand that the scripts on the site are run on behalf of www-data
[screenshot attached]

Thank you in advance for your answer.
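The layout the question describes, written out as an added example that is not code from the post: one shell user per site, one shared site group, setgid directories so everything created in the tree keeps that group, umask 002 so new files are group-writable (664/775 rather than the 644/755 the poster keeps seeing), and a dedicated PHP-FPM pool so the site's PHP runs as the site user instead of www-data. The names user1, ftpuser1, example.ru, the path /var/www/user1/data and the PHP-FPM 7.4 pool directory are assumptions taken from or chosen for the question; the only parts that need root are kept in one function.

```shell
#!/bin/sh
# Added example, not code from the original post: a per-site user plus a shared
# site group, with setgid directories, umask 002 and a dedicated PHP-FPM pool,
# so that user1 (ssh), ftpuser1 (ftp) and the PHP worker can all write the same
# tree without chmod 666/777.
# Assumed (hypothetical) names: site example.ru, shell user user1, ftp user
# ftpuser1, shared group user1, tree /var/www/user1/data as in the question,
# PHP-FPM pool directory /etc/php/7.4/fpm/pool.d and service php7.4-fpm
# (the version in the path varies with the Ubuntu release).

# Create the Laravel storage tree and mark every directory setgid (2775):
# anything created inside inherits the directory's group, whoever creates it.
# Unprivileged, so it can be exercised in a temporary directory.
site_setup_dirs() {
    root=$1; site=$2
    mkdir -p "$root/www/$site/storage/logs" \
             "$root/www/$site/storage/framework/sessions" \
             "$root/www/$site/storage/framework/views"
    find "$root/www/$site" -type d -exec chmod 2775 {} +
}

# Succeed only if every directory under $1 is setgid and group rwx (-perm -2070).
site_dirs_setgid() {
    [ -z "$(find "$1" -type d ! -perm -2070)" ]
}

# Why the poster's uploads come out 755/644: the default umask is 022.
# With umask 002 a new file is 664 and a new directory 775, so the group can
# write. Prints the mode of a file created in $1 under umask 002.
mode_with_umask_002() {
    ( umask 002; : > "$1/probe.txt" )
    stat -c '%a' "$1/probe.txt"
}

# Write a PHP-FPM pool that runs this site's PHP as the site user instead of
# www-data; nginx then uses fastcgi_pass unix:/run/php/php-fpm-<user>.sock.
# $2 overrides the pool directory (used when exercising this without root).
site_phpfpm_pool() {
    user=$1; pooldir=${2:-/etc/php/7.4/fpm/pool.d}
    cat > "$pooldir/$user.conf" <<EOF
[$user]
user = $user
group = $user
listen = /run/php/php-fpm-$user.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOF
}

# Privileged part, run as root on the server: group and users, ownership,
# setgid tree, umask 002 for the shell user, the pool. The ftp user gets no
# shell; its umask is set in the FTP daemon, not here.
site_provision() {
    site=$1; user=$2; ftpuser=$3
    root=/var/www/$user/data
    groupadd -f "$user"
    id "$user" >/dev/null 2>&1 || useradd -d "$root" -m -g "$user" -s /bin/bash "$user"
    id "$ftpuser" >/dev/null 2>&1 || useradd -d "$root" -g "$user" -s /usr/sbin/nologin "$ftpuser"
    site_setup_dirs "$root" "$site"
    chown -R "$user:$user" "$root"
    grep -qs '^umask 002' "$root/.bashrc" || echo 'umask 002' >> "$root/.bashrc"
    site_phpfpm_pool "$user"
    systemctl reload php7.4-fpm
}

# On the server, as root:  site_provision example.ru user1 ftpuser1
```

Two things the example relies on are worth spelling out. The setgid bit only fixes the group of new files; the mode still comes from the umask of whichever process created the file, so umask 002 has to be set for every writer (user1's shell here, the FTP daemon in its own config, and PHP-FPM, which defaults to 022). Running the pool as user1 is what makes the storage/ errors go away without 666/777 and without putting www-data into the site group (which would let the shared web user reach into every site's tree, the opposite of the isolation the question wants); with Apache the same pool works through mod_proxy_fcgi instead of nginx's fastcgi_pass. If other site users on the box must not even read this tree, use 2770/660 instead of 2775/664 and grant the web server read access with an ACL.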


2 answer(s)
Vladimir Korotenko, 2020-11-05
@firedragon

https://www.dmosk.ru/instruktions.php?object=hosting Here is a guide. However, kvm or ovz may suit you.

Alexander Karabanov, 2020-11-08
@karabanov

proftpd can map owners and permissions according to the users and permissions available on the system.
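What that mapping looks like in practice, as an added example that is not part of the answer: a per-site proftpd fragment using the Umask, UserOwner, GroupOwner and DefaultRoot directives, so that files uploaded by the ftp user arrive as user1:user1 with 664/775 and the ftp user is chrooted to the site tree. The names user1, ftpuser1, the path /var/www/user1/data and the fragment directory /etc/proftpd/conf.d are assumptions; the directives themselves are proftpd's.

```shell
#!/bin/sh
# Added example, not from the answer above: a per-site proftpd fragment that
# makes FTP uploads land with the owner, group and mode the shell user would
# produce. Assumed (hypothetical) names: site user and group user1, ftp user
# ftpuser1, tree /var/www/user1/data as in the question, fragments read from
# /etc/proftpd/conf.d. $3 overrides that directory for dry runs.
proftpd_site_fragment() {
    user=$1; ftpuser=$2; confdir=${3:-/etc/proftpd/conf.d}
    cat > "$confdir/$user.conf" <<EOF
# Files 664, directories 775: the site group can change what ftp uploads.
Umask 002 002
# Members of group $user (i.e. $ftpuser) are chrooted to their home, so one
# site's ftp account cannot browse another site's tree.
DefaultRoot ~ $user
<Directory /var/www/$user/data>
  # Uploads by $ftpuser are chowned to $user:$user, so the shell user and a
  # PHP-FPM pool running as $user can rename and delete them.
  UserOwner $user
  GroupOwner $user
</Directory>
EOF
}

# On the server, as root:  proftpd_site_fragment user1 ftpuser1 && systemctl reload proftpd
```

UserOwner makes the daemon chown every upload, which only works while proftpd can still regain root for that call (the default packaged setup); GroupOwner alone needs no privilege as long as the ftp user is a member of the target group, which is why the question's ftpuser1 is given user1 as its primary group. Umask 002 here does for the FTP path what umask 002 in the shell does for ssh uploads, so neither side has to fix permissions after the other.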
